Forum Discussion
Send /var/log/ltm on syslog destination without AUDIT logs
Hello everyone,
I'm trying to filter just /var/log/ltm logs in F5 version 13.1.1.4, but with my configuration I can't filter the AUDIT logs; it is still sending them to my syslog destination.
I configured this in syslog all-properties:
include " filter syslog_level { facility(local0) and level(debug..crit); };
filter no_audit { not match ("AUDIT"); };
destination remote_server {
udp(\"172.16.10.26\" port(4000));
};
log {
source(local);
filter(syslog_level);
filter(no_audit);
destination(remote_server);
};
"
But when I tried to restart the syslog-ng service, it showed the following message: WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please use a more specific filter like message() and/or program() instead.;
Any ideas how I can receive just /var/log/ltm on my syslog destination?
Thanks in advance.
Hello Berenice,
You're on the right track; your syntax is just a little off. Match now requires the use of "value()".
So I think something like
filter no_audit { not match ( value=("AUDIT") ); };
Best of luck,
Austin
- AMiles_377865Cirrocumulus
- bortega_340015Nimbostratus
Hello Austin,
Thanks for your help. I modified the filter as you told me, but it showed a syntax error. However, your reference helped a lot. I found how to configure the filter like this:
filter no_audit { not match (AUDIT value(MESSAGE) ); };
And it worked. Thanks.
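For reference, the configuration from the question with only the no_audit filter swapped for the form reported as working in the reply above. This block is assembled here as an added example and was not posted by any participant; every name and value in it (filter names, 172.16.10.26, port 4000, facility local0) is taken from the thread, and the thread only reports it working on version 13.1.1.4.

```conf
include "
filter syslog_level { facility(local0) and level(debug..crit); };
filter no_audit { not match(AUDIT value(MESSAGE)); };
destination remote_server {
    udp(\"172.16.10.26\" port(4000));
};
log {
    source(local);
    filter(syslog_level);
    filter(no_audit);
    destination(remote_server);
};
"
```

The only quoted value left inside the include string is the destination address, which keeps the backslash-escaped quotes used in the original post.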
Hello,
Did it change in 17.1*?